CVE-2014-7290 Atlas Systems Aeon XSS Vulnerability

Exploit Title: Atlas Systems Aeon XSS Vulnerability

Product: Aeon

Vendor: Atlas Systems

Vulnerable Versions: 3.6, 3.5

Tested Version: 3.6

Advisory Publication: Nov 12, 2014

Latest Update: Nov 12, 2014

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2014-7290

Solution Status: Fixed by Vendor

Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore] (@justqdjing)

Advisory Details:

 

(1) Aeon

Aeon is circulation and workflow automation software for special collections libraries, designed by special collections librarians.

Aeon improves customer service and staff efficiency while providing item tracking, security and statistics.


What is Aeon?

“Aeon is request and workflow management software specifically designed for special collections libraries and archives. Aeon improves patron service and maximizes staff efficiency while providing unparalleled item tracking, security and statistics. The Aeon Web Interface enables your patrons to request items directly from your online catalog and finding aids for viewing in your reading room or ordering duplication and digital imaging services, and allows them to monitor fulfillment of their requests through a personalized web account. The Aeon Staff Client permits your staff to manage every step of every transaction, from shelf to patron and back again, with full control and ease. The Aeon Web Reports and custom search features provide quick access to complete patron and item request histories and offer a wide array of usage analyses.”

 

About Atlas:

“Atlas Systems, Inc. is a software development company headquartered in Virginia Beach, VA dedicated to serving libraries. Founded in July 1995 with the mission of “promoting library excellence through efficiency,” Atlas is best known for creating the ILLiad interlibrary loan management system now exclusively distributed by OCLC and used by more than 1,000 libraries worldwide. Focused on bringing the benefits of automation to library processes that have not been addressed by other software services, Atlas has introduced Ares, an electronic reserves solution, and Aeon, an online request and workflow management system specifically designed for special collections libraries and archives. Atlas takes a process-driven approach to software development. Atlas developers work closely with librarians first to understand the specific user services environment and then to design a system that improves service quality while achieving optimum efficiency and process control. Once the software has been created, Atlas provides implementation, training and ongoing product support, including continual development of new features and enhancements in response to client needs and desires. This workflow review and improvement approach to software design sets Atlas apart in the library automation market.”

(2) However, Aeon is vulnerable to reflected cross-site scripting (XSS) attacks: two query parameters of the web interface are echoed into the response page without output encoding.

(2.1) The first vulnerability occurs on the “aeon.dll?” page, in the “&Action” parameter.

(2.2) The second vulnerability occurs on the “aeon.dll?” page, in the “&Form” parameter.
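To make the fix concrete, the following is an added example (not Aeon's code; the real aeon.dll handler is not public) that models a handler echoing the “Action” and “Form” query parameters into an HTML attribute. The unsafe rendering concatenates the raw value; the hardened rendering entity-encodes it, so a value can neither close the attribute nor inject an element. The URLs, the parameter values and the page fragment are constructed for the example.

```python
"""Reflected-XSS mitigation for query parameters echoed into HTML.

Added example, not Aeon's code. The page fragment below is an assumed
stand-in for how a value such as "Action" or "Form" ends up in a page.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests: one benign, one whose "Action" value carries
# markup that closes the attribute and injects a harmless <b> element.
BENIGN = "https://example.invalid/aeon/aeon.dll?Action=10&Form=30"
TAINTED = ("https://example.invalid/aeon/aeon.dll"
           "?Action=%22%3E%3Cb%3Einjected%3C/b%3E&Form=30")

ECHOED = ("Action", "Form")  # parameters the advisory says are reflected


def query_params(url: str) -> dict[str, str]:
    """Return the first (URL-decoded) value of each query parameter."""
    qs = urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(qs, keep_blank_values=True).items()}


def render_unsafe(params: dict[str, str]) -> str:
    """What a vulnerable handler does: splice raw values into the HTML."""
    return "".join(
        f'<input type="hidden" name="{n}" value="{params.get(n, "")}">'
        for n in ECHOED
    )


def render_safe(params: dict[str, str]) -> str:
    """Hardened form: entity-encode every echoed value for the attribute
    context. html.escape(quote=True) encodes < > & " and ', so the value
    cannot terminate the quoted attribute or open a new tag."""
    return "".join(
        f'<input type="hidden" name="{n}" '
        f'value="{html.escape(params.get(n, ""), quote=True)}">'
        for n in ECHOED
    )


def reflects_markup(rendered: str, params: dict[str, str]) -> bool:
    """Regression check: is any tag-bearing input echoed verbatim?"""
    return any("<" in v and v in rendered for v in params.values())


if __name__ == "__main__":
    p = query_params(TAINTED)
    print("unsafe:", render_unsafe(p), reflects_markup(render_unsafe(p), p))
    print("safe:  ", render_safe(p), reflects_markup(render_safe(p), p))
```

The same check can be pointed at a captured response from a test deployment to confirm a vendor fix actually encodes both parameters.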

Solutions:

2014-09-01: Reported the vulnerability to the vendor

2014-10-05: Vendor replied with thanks and said it would change the source code

References:
